From fbd8d90c88ee26e6020bae0983db7214464a4c46 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 20 Feb 2019 09:43:15 +0100
Subject: [PATCH 1/6] subprocess usage: explicitly pass `close_fds = True`
In python2 the default for `close_fds` is still False, therefore it is
possible that open file descriptors like the logfile are inherited by
child processes. This is prevented by explicitly passing this parameter
to all subprocess invocations.
---
src/mount_efs/__init__.py | 18 ++++++++++--------
src/watchdog/__init__.py | 2 +-
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/mount_efs/__init__.py b/src/mount_efs/__init__.py
index 833158f..8b15409 100755
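--- a/src/mount_efs/__init__.py
+++ b/src/mount_efs/__init__.py
@@ -235,7 +235,7 @@ def is_stunnel_option_supported(stunnel_output, stunnel_option_name):
 
 
 def get_version_specific_stunnel_options(config):
- proc = subprocess.Popen(['stunnel', '-help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = subprocess.Popen(['stunnel', '-help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
 proc.wait()
 _, err = proc.communicate()
 
@@ -355,7 +355,7 @@ def check_network_status(fs_id, init_system):
 return
 
 with open(os.devnull, 'w') as devnull:
- rc = subprocess.call(['systemctl', 'status', 'network.target'], stdout=devnull, stderr=devnull)
+ rc = subprocess.call(['systemctl', 'status', 'network.target'], stdout=devnull, stderr=devnull, close_fds=True)
 
 if rc != 0:
 fatal_error('Failed to mount %s because the network was not yet available, add "_netdev" to your mount options' % fs_id,
@@ -364,19 +364,20 @@ def check_network_status(fs_id, init_system):
 
 def start_watchdog(init_system):
 if init_system == 'init':
- proc = subprocess.Popen(['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = subprocess.Popen(
+ ['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
 status, _ = proc.communicate()
 if 'stop' in status:
 with open(os.devnull, 'w') as devnull:
- subprocess.Popen(['/sbin/start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull)
+ subprocess.Popen(['/sbin/start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull, close_fds=True)
 elif 'start' in status:
 logging.debug('%s is already running', WATCHDOG_SERVICE)
 
 elif init_system == 'systemd':
- rc = subprocess.call(['systemctl', 'is-active', '--quiet', WATCHDOG_SERVICE])
+ rc = subprocess.call(['systemctl', 'is-active', '--quiet', WATCHDOG_SERVICE], close_fds=True)
 if rc != 0:
 with open(os.devnull, 'w') as devnull:
- subprocess.Popen(['systemctl', 'start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull)
+ subprocess.Popen(['systemctl', 'start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull, close_fds=True)
 else:
 logging.debug('%s is already running', WATCHDOG_SERVICE)
 
@@ -404,7 +405,8 @@ def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, sta
 
 # launch the tunnel in a process group so if it has any child processes, they can be killed easily by the mount watchdog
 logging.info('Starting TLS tunnel: "%s"', ' '.join(tunnel_args))
- tunnel_proc = subprocess.Popen(tunnel_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid)
+ tunnel_proc = subprocess.Popen(
+ tunnel_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid, close_fds=True)
 logging.info('Started TLS tunnel, pid: %d', tunnel_proc.pid)
 
 temp_tls_state_file = write_tls_tunnel_state_file(fs_id, mountpoint, tls_port, tunnel_proc.pid, tunnel_args,
@@ -458,7 +460,7 @@ def mount_nfs(dns_name, path, mountpoint, options):
 
 logging.info('Executing: "%s"', ' '.join(command))
 
- proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
 out, err = proc.communicate()
 
 if proc.returncode == 0: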
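Review bot: In the first hunk, `get_version_specific_stunnel_options` still calls `proc.wait()` before `proc.communicate()` while both stdout and stderr are pipes, so the call can block forever if `stunnel -help` ever writes more than the pipe buffer holds; `communicate()` already waits for the child to exit, so the `proc.wait()` line can simply be dropped. Separately, `stunnel` and `systemctl` are resolved through `PATH` while the upstart helpers use absolute `/sbin/...` paths; if this helper can run with a caller-influenced environment (not visible here), pinning absolute paths or a fixed `PATH` would complement the descriptor hardening. A short comment at the first call site, e.g. `# close_fds defaults to False on Python 2; keep the log fd out of children`, would make it less likely that the argument is dropped in a later cleanup. All of the touched function bodies continue outside their hunks.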
diff --git a/src/watchdog/__init__.py b/src/watchdog/__init__.py
index ea465a7..caca0d9 100755
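--- a/src/watchdog/__init__.py
+++ b/src/watchdog/__init__.py
@@ -150,7 +150,7 @@ def is_pid_running(pid):
 def start_tls_tunnel(child_procs, state_file, command):
 # launch the tunnel in a process group so if it has any child processes, they can be killed easily
 logging.info('Starting TLS tunnel: "%s"', ' '.join(command))
- tunnel = subprocess.Popen(command, preexec_fn=os.setsid)
+ tunnel = subprocess.Popen(command, preexec_fn=os.setsid, close_fds=True)
 
 if not is_pid_running(tunnel.pid):
 fatal_error('Failed to initialize TLS tunnel for %s' % state_file, 'Failed to start TLS tunnel.')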
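Review bot: The liveness test right after the spawn, `if not is_pid_running(tunnel.pid)`, probably cannot catch a tunnel that exits early: an exited but unreaped child still holds its pid, so a signal-0 style probe (assuming that is what `is_pid_running` does; its body is outside the hunk) keeps reporting it as running. Checking the handle directly, `if tunnel.poll() is not None:`, reaps the child and reflects its real exit state. `start_tls_tunnel` continues past the end of this hunk.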
--
2.21.0